critical advisory

Tenda F456 Router Buffer Overflow Vulnerability

A buffer overflow vulnerability exists in Tenda F456 version 1.0.0.5 in the `fromGstDhcpSetSer` function, allowing remote attackers to execute arbitrary code by manipulating the 'dips' argument via a crafted HTTP request to `/goform/GstDhcpSetSer`.

A critical buffer overflow vulnerability, identified as CVE-2026-7081, affects Tenda F456 router version 1.0.0.5. The vulnerability resides in the fromGstDhcpSetSer function within the /goform/GstDhcpSetSer file, a component of the device’s httpd service. Successful exploitation allows a remote attacker to execute arbitrary code on the device. Publicly available exploit code increases the risk of widespread exploitation. This vulnerability poses a significant threat as it can lead to complete compromise of the affected device, potentially allowing attackers to gain unauthorized access to the network, steal sensitive information, or use the device as part of a botnet.

Attack Chain

  1. The attacker identifies a vulnerable Tenda F456 router (version 1.0.0.5) exposed to the internet.
  2. The attacker crafts a malicious HTTP POST request targeting the /goform/GstDhcpSetSer endpoint.
  3. The HTTP request includes the dips argument, which is intentionally oversized to trigger the buffer overflow.
  4. The vulnerable fromGstDhcpSetSer function processes the request without proper bounds checking.
  5. The oversized dips argument overwrites adjacent memory regions on the stack.
  6. The attacker carefully crafts the overflow to overwrite the return address with an address pointing to attacker-controlled code.
  7. The fromGstDhcpSetSer function returns, causing execution to jump to the attacker’s code.
  8. The attacker’s code executes with the privileges of the httpd process, potentially leading to full device compromise.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected Tenda F456 router. This can result in complete device compromise, including the ability to modify device settings, intercept network traffic, and potentially use the compromised device as a pivot point for further attacks within the network. Given the widespread use of Tenda routers, a large number of devices could be vulnerable, making this a significant security concern.

Recommendation

  • Monitor web server logs for suspicious POST requests to /goform/GstDhcpSetSer with unusually long dips parameter values to detect potential exploitation attempts.
  • Deploy the provided Sigma rule "Detect Tenda F456 Buffer Overflow Attempt" to identify malicious HTTP requests.
  • Since no patch is available, consider replacing the affected Tenda F456 routers (version 1.0.0.5) with more secure alternatives.
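One way to implement the log monitoring recommended above, as an added example that is not part of the original advisory or its Sigma rules. It assumes a proxy or WAF in front of the management interface that writes JSON-lines records with the hypothetical fields `src`, `method`, `uri`, `content_length` and `body`; both thresholds and all sample records are constructed.

```python
import json
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/goform/GstDhcpSetSer"   # endpoint named in the advisory
MAX_DIPS_LEN = 64     # assumed threshold, tune to your environment
MAX_POST_LEN = 1024   # assumed threshold for the "large POST" rule

# Constructed sample records (JSON lines, hypothetical proxy log schema).
SAMPLE_LOG = "\n".join([
    json.dumps({"src": "192.0.2.10", "method": "POST", "uri": TARGET_PATH,
                "content_length": 18, "body": "dips=192.168.0.100"}),
    json.dumps({"src": "203.0.113.7", "method": "POST", "uri": TARGET_PATH,
                "content_length": 605, "body": "dips=" + "A" * 600}),
    # Logger truncated the body; only Content-Length reveals the size.
    json.dumps({"src": "203.0.113.9", "method": "POST", "uri": TARGET_PATH,
                "content_length": 4096, "body": "dips=AAAA"}),
    json.dumps({"src": "192.0.2.10", "method": "GET", "uri": "/index.html"}),
    "not json: corrupted line",
])

def check_record(rec):
    """Return the list of rule names this request record triggers."""
    url = urlsplit(rec.get("uri", ""))
    if rec.get("method", "").upper() != "POST" or not url.path.startswith("/goform/"):
        return []
    body = rec.get("body") or ""
    hits = []
    if url.path == TARGET_PATH:
        # dips may arrive in the query string or the form body; measure decoded length.
        values = parse_qs(url.query + "&" + body, keep_blank_values=True).get("dips", [])
        if any(len(v) > MAX_DIPS_LEN for v in values):
            hits.append("long_dips")
    # Trust the larger of the declared and the logged size, so truncated bodies still count.
    if max(int(rec.get("content_length") or 0), len(body)) > MAX_POST_LEN:
        hits.append("large_post")
    return hits

def scan(log_text):
    """Return (line_number, source, rules) for every flagged record."""
    alerts = []
    for n, line in enumerate(log_text.splitlines(), 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip corrupted lines instead of aborting the scan
        hits = check_record(rec) if isinstance(rec, dict) else []
        if hits:
            alerts.append((n, rec.get("src"), hits))
    return alerts
```

Calling `scan(SAMPLE_LOG)` flags the second and third sample records. Standard access logs usually omit request bodies, so the `large_post` check on `content_length` is the part that still works when only request sizes are recorded.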

Detection coverage 2

Detect Tenda F456 Buffer Overflow Attempt

critical

Detects suspicious POST requests to /goform/GstDhcpSetSer with overly long 'dips' parameter, indicating a potential buffer overflow attempt in Tenda F456 routers.

Format: sigma; tactics: initial_access; techniques: T1190; sources: webserver, linux

Detect Large POST Request to Tenda Configuration Interface

high

Detects abnormally large POST requests to the Tenda router's configuration interface, which can be indicative of buffer overflow exploitation attempts. Focuses on requests exceeding a certain size threshold.

Format: sigma; tactics: initial_access; techniques: T1190; sources: webserver, linux

Detection queries are kept inside the platform.